Signwell
v1.0.2SignWell integration. Manage Users, Documents, Teams. Use when the user wants to interact with SignWell data.
⭐ 0· 99·0 current·0 all-time
byMembrane Dev@membranedev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (SignWell integration) match the instructions: all actions are performed via the Membrane CLI and the doc describes listing connections, running actions, and proxying requests to SignWell. There are no unrelated required env vars, binaries, or config paths.
Instruction Scope
Instructions are scoped to using the Membrane CLI (login, connect, action list/run, and proxy requests). They do not ask the agent to read local files or unrelated environment variables. Note: the skill recommends using Membrane's request proxy which lets you issue arbitrary API calls to SignWell through Membrane — this is expected behavior but means Membrane will see/hold your SignWell access and any data passed through the proxy.
Install Mechanism
There is no platform install spec, but SKILL.md tells users to install @membranehq/cli via npm (npm install -g or npx). That is a common but network-fetched install step; it executes third-party code from the npm registry. This is proportionate to the stated purpose but carries the usual supply-chain risk of running an external CLI package.
Credentials
The skill declares no required environment variables or credentials. Instead it relies on Membrane for authentication and browser-based login. That is proportional to the integration, but it shifts trust to Membrane (they will hold/refresh the SignWell tokens and receive proxied requests).
Persistence & Privilege
The skill does not request always-on inclusion, does not modify other skills' configs, and does not require system-wide config paths. Normal autonomous invocation is enabled (platform default).
Assessment
This skill appears to do what it says, but before installing or using it: (1) Understand that Membrane (getmembrane.com/@membranehq/cli) will hold and proxy your SignWell credentials and see any data you access — you are trusting that third party with account access. (2) Installing the CLI via npm or running it via npx executes code from the npm registry; verify the @membranehq package (publisher, version, and review changelogs) if you have supply-chain concerns. (3) Be cautious when using the proxy command — it can send arbitrary requests to SignWell through Membrane; limit requests to the minimum scopes/data needed. (4) If you need stronger assurance, ask for or inspect the Membrane CLI source/release artifacts and test with a least-privilege SignWell account. (5) Confidence is medium because this is an instruction-only skill (no code to statically analyze) and it depends on a third-party service and npm package.Like a lobster shell, security has layers — review code before you run it.
latestvk9799pz5jwmzcb6xykafaaz91s842tzk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.